The present invention relates to an information security technique and more specifically relates to an anomaly detection to implement security protection of a control system.
Modern societies are established on the basis of various types of infrastructures such as power supply, gas supply, water supply, railways, finance, plants and pipelines. The control systems for the foregoing socially-important infrastructures may influence largely a social economy if the control systems functions are paralyzed, and therefore have heretofore been designed and operated on the assumption that the control systems should be operated in closed systems isolated from the outside and designed under the specifications not open to the public. With recent requirements in management aspect, such as connectivity productivity improvement, and enhancement in business judgment efficiency, however, the control systems are now in the transition from the foregoing conventional systems to open systems. Products dedicated and configurations unique to the control systems have already begun to be replaced with generally-available products and standard protocols such as TCP/IP. In addition, the advancement of collaboration between control systems and collaboration between a control system and an information processing system via networks is now in progress.
With the transition to open control systems, however, the control systems are exposed to various threats that information processing systems face, such for example as vulnerability, unauthorized accesses, information leakage, viruses and worms, all of which are prevalent in generally-available products. If by any chance any of the aforementioned important infrastructures is attacked, the influence of the attack is large in scale and is wide in range. Moreover, since an industrial control system controls actuators such as pumps and valves in a plant or pipeline, a malfunction of the industrial control system may cause human damages or environmental destruction in some cases. For this reason, along with the transition into the open control system, the establishment of high-level security is demanded for protecting the control system from these threats. Moreover, if by any chance there occurs a situation suspected to be due to any of the foregoing threats, a prompt detection of an anomaly due to the threat is desired, and the performance of appropriate countermeasures against the anomaly are preferred.
Since the foregoing problems such as vulnerability and unauthorized access have been occurring in information processing systems, security techniques applied to the information processing systems are considered to be effective also on the control systems to some extent. As one of the security techniques for information processing systems, Japanese Patent No. 4521456 (Patent Literature 1) discloses an information processing apparatus configured to distribute security policies to management target information processing apparatuses. The security policies herein are used to control the operations of the management target information processing apparatuses. In addition, Japanese Patent Application Publication No. 2007-274027 (Patent Literature 2) discloses a remote operation system with which a recovery service through remote control can be easily introduced. However, since the industrial control systems have features different from those of the information processing systems, simple application of the security techniques used in the information processing systems is not sufficient in some cases. In such cases, it is not possible to promptly detect an anomaly suspected to be due to any of the foregoing threats and to take countermeasures against the anomaly.
Meanwhile, recent information technology (IT) services have paid attention to a configuration management database (CMDB) in order to centralize management of information on management target components and to provide necessary information when necessary. The CMDB is a database for retaining and managing, as configuration items (CI), components including resources such as hardware and software, documents, incident history information and human resources, all of which are targets managed by service management, thereby allowing one to know about these components (Patent Literatures 3 and 4).